Onapsis Puts the Process of Security to Work for Oracle E-Business Suite

Complementing Oracle’s security toolsets to deliver deeper, more actionable recommendations

An Interview with Michael Miller, Senior Security Architect, Onapsis

Sponsored Content, January/February 2019

A proven market leader in cybersecurity, Onapsis offers solutions to automate the monitoring and protection of enterprise resource planning (ERP) systems, keeping these businesscritical applications compliant and safe from insider and outsider threats. Global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Michael Miller, Senior Security Architect, Onapsis

Experts at the Onapsis Research Labs are instrumental in helping popular ERP solution providers such as Oracle uncover and address security vulnerabilities. Their patented technology is well known industrywide and has gained Onapsis recognition on the Deloitte Technology Fast-500, as a Red Herring North America Top 100 company, and as a SINET 16 Innovator.

Q: We’re seeing constant evolution in the threat landscape, from hacktivist groups to nationstate sponsored actors. New entities are increasingly targeting internal ERP applications. What is the Onapsis strategy to combatting these new threats?

A: Although the business benefits provided by ERP solutions such as Oracle E-Business Suite are immense, the complexity of supporting and securing these sophisticated solutions can be an issue. Everything we do here at Onapsis is about the process of security. No one team, tool, technique, or vendor is going to secure you. Security is only created by you, your teams, and your people following processes—and often using tools. What we do here at Onapsis is think about those processes and consider how we can make people work smarter, add value, and create solutions.

Q: How does Onapsis work with ERP leaders like Oracle to put this strategy into motion?

A: Our relationship with Oracle and other industry leaders is based on a productive, ongoing dialogue. Oracle offers a variety of tools to help clients build stronger security processes, such as the Oracle Advanced Security option, Oracle Database Vault, and Oracle Audit Vault and Database Firewall. All of these products are excellent tools and work superbly with ERP platforms such as SAP, PeopleSoft, and Oracle E-Business Suite. We do our best to make clients aware of them and how Onapsis complements them to strengthen overall security.

Our research organization maintains close communication with Oracle. For example, Oracle’s April 2018 Critical Patch Update included 254 security patches— 176 of which were reported by Onapsis after discovery in our research labs. ERP applications are complex, and our objective is to offer clients a security and compliance solution, so they can operate their environments with more security and sleep easier at night.

Q: How do Onapsis solutions build on the capabilities that Oracle’s own tools deliver?

A: Onapsis complements Oracle’s robust security tools with a platform that acts as a lens by and for security and risk professionals, as well as technologists, to deliver a centralized view and provide the insights they need to get their teams working together harmoniously. For ERP systems, we simplify some of the technical data, while at the same time pulling back to provide the level of granularity for those people who need it.

Your company’s crown jewels sit in the Oracle database, which can be exploited through ERP application vulnerabilities. Onapsis gives you visibility into those applications, identifies the vulnerabilities, and helps you mitigate the risks to keep your company’s most critical assets secure.”–Michael Miller, Senior Security Architect, Onapsis

Q: Organizations have access to many security tools that examine their ERP databases. What makes the Onapsis solution and approach different?

A: The Onapsis platform is more than just a scanner that looks only at the database. Our focus is very much on the applications. It’s the blind spots in the application layer that the traditional security tools aren’t really identifying. We find those blind spots, running scheduled scans and automating that process, to uncover vulnerabilities and provide recommendations on what to do. We are looking to provide a holistic sense of risks involved in operating an ERP platform such as Oracle E-Business Suite.

We are giving clients complete visibility into how their ERP applications are secured. Your company’s crown jewels sit in the Oracle database, which can be exploited through ERP application vulnerabilities. Onapsis gives you visibility into those applications, identifies the vulnerabilities, and helps you mitigate the risks to keep your company’s most critical assets secure.

Q: Uptime is especially critical for ERP applications that support an organization’s most essential business processes. How do you help organizations prioritize their security choices?

A: We triage the risk and present information so that it can be applied directly to decisionmaking. Every organization has limited time and resources, and they need to understand how to best spend their next dollar, or their team’s next hour. They’re thinking about whether they need to apply a particular set of patches, or work through configuration changes and test those for safe operation. Onapsis provides automation to help them avoid the need to manually examine all their security configuration variables and free up resources for more strategic tasks.

Q: Given the tremendous scale and complexity of many Oracle E-Business Suite environments, what strategic steps would you recommend to help an organization move forward in terms of security strategy?

A: There are four security strategies I recommend for organizations wanting to establish their own process of security.

1. Implement defense in depth, which is a time-tested recommended best practice. Consider one of Oracle’s security offerings such as Oracle Advanced Security to strengthen your security in depth. Oracle Advanced Security is a superbly designed, low-risk tool, fully certified for use with ERP solutions such as Oracle E-Business Suite. It provides security functionality such as data-at-rest (encryption). Of particular note, with release 12c, Oracle has done a phenomenal job with the data redaction that comes as part of that option.
2. Run Oracle’s E-Business Suite diagnostics. Within the diagnostics module in Oracle E-Business Suite, there are a number of comprehensive security checklists that you can use. You should absolutely run those if you haven’t. Run them often if you can, ideally on a recurring schedule.
3. Document your processes, whether you are running Oracle E-Business Suite or another solution. Develop a formal policy in writing that identifies the governance and behaviors for securely building, operating, maintaining, and using databases, as well as your ERP product of choice. Once these policies are documented, you can communicate to your employees, as well as to third parties and external auditors, what your process of security is and how you are going about meeting those process requirements.
4. Visit our website and learn more about what we are doing with the process of security, how we are taking that thought process to the next level. If you’re interested in Oracle diagnostics, come take a look at our Onapsis Security Platform—we take that to the next level.

Q: How can readers get a better sense of where they are today, to understand the best ways to enhance their security processes?

A: Onapsis offers a Business Risk Illustration, which is essentially a security compliance assessment for ERP platforms such as Oracle E-Business Suite. We look closely at a client’s security checks, running our Onapsis Security Platform within their environment. For example, with Onapsis Security Platform for Oracle E-Business Suite, we might focus on their development, testing, or QA environments. It takes 30 minutes to install, it’s noninvasive to the Oracle E-Business Suite environment, and it produces a detailed summary report of all existing vulnerabilities.

For more information, visit www.onapsis.com/solutions

Sponsored Content as Seen in Oracle Magazine January/February 2019

Photography by Shutterstock